IPsec VPN to an Azure with virtual WAN
This is a sample configuration of an IPsec site-to-site VPN connection between an on-premise FortiGate and an Azure virtual network (VNet). This example uses Azure virtual WAN (vWAN) to establish the VPN connection.
|
To configure IKEv2 IPsec site-to-site VPN to an Azure VPN gateway:
- In the Azure management portal, configure vWAN-related settings as described in Tutorial: Create a Site-to-Site connection using Azure Virtual WAN.
If a custom BGP IP address is configured on Azure's vWAN, such as 169.254.21.6 and 169.254.21.7, you must configure the FortiGate `remote-ip` to the corresponding Custom BGP IP Address value. If a custom BGP IP address is not configured, the FortiGate `remote-ip` values should point to the Default BGP IP Address value.
- Download the VPN configuration. The following shows an example VPN configuration (the downloaded file contains the pre-shared key, `PSK`, in clear text, so store it as you would any other secret):
[ {"configurationVersion":{"LastUpdatedTime":"2019-07-16T22:16:28.0409002Z","Version":"be5c5787-b903-43b1-a237-49eae1b373e4"},"vpnSiteConfiguration":{"Name":"toaws","IPAddress":"3.220.252.93","BgpSetting":{"Asn":7225,"BgpPeeringAddress":"169.254.24.25","PeerWeight":32768},"LinkName":"toaws"},"vpnSiteConnections":[{"hubConfiguration":{"AddressSpace":"10.1.0.0/16","Region":"West US","ConnectedSubnets":["10.2.0.0/16"]},"gatewayConfiguration":{"IpAddresses":{"Instance0":"52.180.90.47","Instance1":"52.180.89.94"},"BgpSetting":{"Asn":65515,"BgpPeeringAddresses":{"Instance0":"10.1.0.7","Instance1":"10.1.0.6"},"PeerWeight":0}},"connectionConfiguration":{"IsBgpEnabled":true,"PSK":"Fortinet123#","IPsecParameters":{"SADataSizeInKilobytes":102400000,"SALifeTimeInSeconds":3600}}}]} ]
- Configure the following on the FortiGate. Note that for `set proposal`
, you can select from several proposals.

# Phase 1 (IKE SA): one tunnel per Azure gateway instance. remote-gw is
# gatewayConfiguration.IpAddresses.Instance0 / Instance1 from the downloaded
# configuration; the two entries differ only in the peer address and PSK.
config vpn ipsec phase1-interface
    edit "toazure1"
        set interface "port1"
        set ike-version 2
        # IKE SA lifetime in seconds.
        set keylife 28800
        # No IKE-ID check on the peer: the peer is selected by remote-gw and
        # authenticated by the pre-shared key only.
        set peertype any
        # Must match the Azure side. aes256-sha1 with DH group 2 (1024-bit MODP)
        # is what this sample negotiates; FortiOS also offers stronger choices
        # such as aes256-sha256 and dhgrp 14, which Azure accepts in a custom
        # IPsec policy -- check the current Azure vWAN policy list before changing.
        set proposal aes256-sha1
        set dhgrp 2
        set remote-gw 52.180.90.47
        # "ENC ..." is the encrypted form printed by the FortiGate that produced
        # this sample and is not portable to another unit. When entering the
        # configuration by hand, use the PSK from the downloaded configuration
        # as plain text: set psksecret <PSK>.
        set psksecret ENC BJeE+CnBFbdepvvMMfXmb1QlWmB/QfxAvSuj0/Ol3KI3LgP0ac1Rc80YJRHN2Q7ocGpF96/7F0MCNRjAEk62wQHeHNi8zQKc0DGTffRIyf/ln6l3JMp+r2hVFTv41HlzfKlE5L+rOuSPj4y941rJVPjIx9aID7dAYUMUh/D1elTB/PqAXAt0JU+9gDbki4br5Zq8tQ==
    next
    edit "toazure2"
        set interface "port1"
        set ike-version 2
        set keylife 28800
        set peertype any
        set proposal aes256-sha1
        set dhgrp 2
        # gatewayConfiguration.IpAddresses.Instance1
        set remote-gw 52.180.89.94
        set psksecret ENC sNVpQEGX79oH3u57I6AjipdPALYIERj7CMDSJY7RG39g0yUmPVJVcq1+u5v3gA6URhzaD3NjqUoIfJD3yOE34mIWFo9Q6skowGnQURlQxukENC8kTpEl3YqYESCKULoRc3/sVKDZItyjWcZ/0iHsqkCyWvm/jDJuy3UPxI7uOktkDtZPho8wjnMYeKmMR5EaG28oSA==
    next
end
# Phase 2 (IPsec SA). keylifeseconds 3600 equals SALifeTimeInSeconds in the
# downloaded configuration; proposal and PFS group (dhgrp) must match the Azure
# IPsec policy, with the same strength caveat as in phase 1.
config vpn ipsec phase2-interface
    edit "toazure1"
        set phase1name "toazure1"
        set proposal aes256-sha1
        set dhgrp 2
        set keylifeseconds 3600
    next
    edit "toazure2"
        set phase1name "toazure2"
        set proposal aes256-sha1
        set dhgrp 2
        set keylifeseconds 3600
    next
end
# Needed because both tunnel interfaces below carry the same local address
# (169.254.24.25/32).
config system settings
    set allow-subnet-overlap enable
end
# Tunnel interfaces. ip = vpnSiteConfiguration.BgpSetting.BgpPeeringAddress
# (the FortiGate's BGP source); remote-ip = Azure's Default BGP IP Address per
# gateway instance (gatewayConfiguration.BgpSetting.BgpPeeringAddresses). If a
# custom BGP IP address is configured on the vWAN hub, use that value instead.
config system interface
    edit "toazure1"
        set vdom "root"
        set ip 169.254.24.25 255.255.255.255
        set type tunnel
        set remote-ip 10.1.0.7 255.255.255.255
        set snmp-index 4
        set interface "port1"
    next
    edit "toazure2"
        set vdom "root"
        set ip 169.254.24.25 255.255.255.255
        set type tunnel
        set remote-ip 10.1.0.6 255.255.255.255
        set snmp-index 5
        set interface "port1"
    next
end
# BGP: local AS 7225 and router-id come from vpnSiteConfiguration.BgpSetting;
# the two neighbors are the Azure hub peer addresses, remote AS 65515
# (gatewayConfiguration.BgpSetting.Asn).
config router bgp
    set as 7225
    set router-id 169.254.24.25
    config neighbor
        edit "10.1.0.7"
            set remote-as 65515
        next
        edit "10.1.0.6"
            set remote-as 65515
        next
    end
    # Prefix advertised to Azure (the port2 LAN in the sample routing table).
    config network
        edit 1
            set prefix 172.30.101.0 255.255.255.0
        next
    end
    # Redistributing connected routes advertises every connected subnet to
    # Azure, including 172.30.1.0/24 on port1 (the Internet-facing interface in
    # the sample routing table) and the tunnel /32s. If only 172.30.101.0/24
    # should reach Azure, disable this and rely on config network above, or
    # filter it with a route-map.
    config redistribute "connected"
        set status enable
    end
    # Remaining redistribute stanzas are left at their defaults.
    config redistribute "rip"
    end
    config redistribute "ospf"
    end
    config redistribute "static"
    end
    config redistribute "isis"
    end
    config redistribute6 "connected"
    end
    config redistribute6 "rip"
    end
    config redistribute6 "ospf"
    end
    config redistribute6 "static"
    end
    config redistribute6 "isis"
    end
end
- Run
diagnose vpn tunnel list
. If the configuration was successful, the output should resemble the following:name=toazure1 ver=2 serial=3 172.30.1.83:4500->52.180.90.47:4500 bound_if=3 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/0 proxyid_num=1 child_num=0 refcnt=15 ilast=16 olast=36 ad=/0 stat: rxp=41 txp=41 rxb=5104 txb=2209 dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=1 natt: mode=keepalive draft=0 interval=10 remote_port=4500 proxyid=toazure1 proto=0 sa=1 ref=2 serial=4 src: 0:0.0.0.0/0.0.0.0:0 dst: 0:0.0.0.0/0.0.0.0:0 SA: ref=3 options=10226 type=00 soft=0 mtu=8926 expire=2463/0B replaywin=2048 seqno=2a esn=0 replaywin_lastseq=00000029 itn=0 life: type=01 bytes=0/0 timeout=3300/3600 dec: spi=c13f7928 esp=aes key=32 009a86bb0d6f5fee66af7b8232c8c0f22e6ec5c61ba19c93569bd0cd115910a9 ah=sha1 key=20 f05bfeb0060afa89d4afdfac35960a8a7a4d4856 enc: spi=b40a6c70 esp=aes key=32 a1e361075267ba72b39924c5e6c766fd0b08e0548476de2792ee72057fe60d1d ah=sha1 key=20 b1d24bedb0eb8fbd26de3e7c0b0a3a799548f52f dec:pkts/bytes=41/2186, enc:pkts/bytes=41/5120 ------------------------------------------------------ name=toazure2 ver=2 serial=4 172.30.1.83:4500->52.180.89.94:4500 bound_if=3 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/0 proxyid_num=1 child_num=0 refcnt=16 ilast=16 olast=16 ad=/0 stat: rxp=40 txp=40 rxb=4928 txb=2135 dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=1 natt: mode=keepalive draft=0 interval=10 remote_port=4500 proxyid=toazure2 proto=0 sa=1 ref=2 serial=4 src: 0:0.0.0.0/0.0.0.0:0 dst: 0:0.0.0.0/0.0.0.0:0 SA: ref=3 options=10626 type=00 soft=0 mtu=8926 expire=2427/0B replaywin=2048 seqno=29 esn=0 replaywin_lastseq=00000028 itn=0 life: type=01 bytes=0/0 timeout=3299/3600 dec: spi=c13f791d esp=aes key=32 759898cbb7fafe448116b1fb0fb6d2f0eb99621ea6ed8dd4417ffdb901eb82be ah=sha1 key=20 533ec5dc8a1910221e7742b12f9de1b41205622c enc: spi=67934bfe esp=aes key=32 9b5710bfb4ba784722241ec371ba8066629febcd75da6f8471915bdeb874ca80 ah=sha1 key=20 
5099fed7edac2b960294094f1a8188ab42f34d7b dec:pkts/bytes=40/2087, enc:pkts/bytes=40/4976 Routing table for VRF=0 Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area * - candidate default S* 0.0.0.0/0 [5/0] via 172.30.1.1, port1 B 10.1.0.0/16 [20/0] via 10.1.0.6, toazure2, 00:15:01 C 10.1.0.6/32 is directly connected, toazure2 C 10.1.0.7/32 is directly connected, toazure1 B 10.2.0.0/16 [20/0] via 10.1.0.6, toazure2, 00:15:01 C 169.254.24.25/32 is directly connected, toazure1 is directly connected, toazure2 C 172.30.1.0/24 is directly connected, port1 C 172.30.101.0/24 is directly connected, port2